A method of rotating a set of keys, having a media encryption key (MEK) and a current media encryption key encryption key (MEKEK) encrypted and stored in a self-encrypting drive (SED) having data encrypted with the MEK (MEK(data)), includes decrypting the stored MEK and the current MEKEK. A new MEK (MEK′) and a new MEKEK (MEKEK′) are generated. The MEKEK′ is encrypted to replace the current encrypted MEKEK. A concatenation of the MEK and the MEK′ is encrypted with MEKEK′. The encrypted data MEK(data) is re-encrypted with MEK′.